VMWare WebWorks XSS (SS-2009-001)

 

  • Title: VMWare and WebWorks XSS
  • Version: 1.0
  • Issue type: Cross-site scripting
  • Affected vendor: VMWare, WebWorks
  • Affected product: VMWare various, WebWorks various
  • Release date: 15/12/2009
  • Discovered by: Alex Kouzemtchenko
  • Issue status: Patch available

Summary

During the course of our research at stratsec (www.stratsec.net) we identified several cross-site scripting (XSS) vulnerabilities in the latest version of the VMWare Infrastructure Web Access system used in several VMWare products. After subsequent discussion with VMWare, the issue was found to be present in a third-party component utilised by VMWare, namely WebWorks Help.

Description

WebWorks Help is an output format that allows online Help to be delivered on multiple platforms and browsers, which makes it easy to publish information on the Web or on an enterprise intranet. WebWorks Help is the framework used for creating the online help pages that are available in VMware WebAccess, Lab Manager and Stage Manager.

Two types of DOM-based XSS vulnerabilities were identified. In the first case, JavaScript/HTML code on three separate pages takes untrusted input from the URL and inserts it into dynamically executed JavaScript. This code was identified on the following pages:

  • http://vmwarehost/ui/help/en_US/index.html
  • http://vmwarehost/ui/help/en_US/wwhelp/wwhimpl/api.htm
  • http://vmwarehost/ui/help/en_US/wwhelp/wwhimpl/common/html/frameset.htm

In the second case, a piece of JavaScript code trusted the opener object, assuming it had been provided by non-malicious VMWare code.

This was identified on the page at: http://vmwarehost/ui/help/en_US/wwhelp/wwhimpl/common/html/bookmark.htm
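The first case above, as an added example that is not WebWorks Help or VMWare source code: a URL fragment pasted into evaluated JavaScript, next to a handler that treats the fragment as data and accepts only same-origin pages under the help root. `HELP_ROOT`, both function names, and the idea that the fragment names a help page are assumptions made for the illustration.

```javascript
// Added illustration; not WebWorks Help or VMWare code.
// HELP_ROOT and both function names are hypothetical.
const HELP_ROOT = 'http://vmwarehost/ui/help/en_US/';

// Unsafe pattern: fragment text is pasted into a string that is later
// evaluated as JavaScript, so a double quote ends the literal early.
function buildRedirectCodeUnsafe(fragment) {
  return 'location.replace("' + fragment + '");';
}

// Safer pattern: keep the fragment as data, resolve it as a URL and
// accept it only if it stays under the help root on the same origin.
function resolveHelpTarget(fragment) {
  const raw = fragment.replace(/^#\??/, '');
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Reject quotes, angle brackets, backslashes, whitespace, control chars.
  if (decoded === '' || /["'<>\\\s\u0000-\u001f]/.test(decoded)) return null;
  let target;
  try {
    target = new URL(decoded, HELP_ROOT);
  } catch (e) {
    return null; // not parseable as a URL
  }
  const root = new URL(HELP_ROOT);
  // javascript:, data: and foreign hosts all fail the origin comparison.
  if (target.origin !== root.origin) return null;
  // Dot segments are already normalised, so this blocks path escapes.
  if (!target.pathname.startsWith(root.pathname)) return null;
  return target.href; // hand to location.replace(value), never to eval
}
```

Because the fragment is never sent to the server, this validation has to run in the page's own script; server-side filtering does not see the value.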

Impact

In general, cross-site scripting vulnerabilities allow the theft of credentials associated with the domain on which the XSS bug exists.

In this particular case, an exploit would grant an attacker access to the VMWare Infrastructure Web Access interface, which can be used to access the console interface of any virtual machine the user has access to, change networking modes for virtual network devices, create virtual machines, etc.

Affected Products

  • VMWare vCenter 4.0
  • VMWare Server 2.0.2
  • VMWare ESX 4.0
  • VMWare Lab Manager (all)
  • VMWare Stage Manager (all)
  • WebWorks ePublisher 2009.2 - WebWorks Help 5.0
  • WebWorks ePublisher 2009.1 - WebWorks Help 5.0
  • WebWorks ePublisher 2008.4 - WebWorks Help 5.0
  • WebWorks ePublisher 2008.3 - WebWorks Help 5.0
  • WebWorks ePublisher 2008.2 - WebWorks Help 5.0
  • WebWorks ePublisher 2008.1 - WebWorks Help 5.0
  • WebWorks ePublisher 9.3 - WebWorks Help 5.0
  • WebWorks ePublisher 9.2.* - WebWorks Help 5.0
  • WebWorks ePublisher 9.1.* - WebWorks Help 5.0
  • WebWorks ePublisher 9.0.* - WebWorks Help 5.0
  • WebWorks Publisher 8.*, WebWorks Help 4.0
  • WebWorks Publisher 7.*, WebWorks Help 3.0
  • WebWorks Publisher 6.*, WebWorks Help 2.0

Proof of Concept

The following proof of concept URLs are functional in Internet Explorer:
 

  • http://vmwarehost/ui/help/en_US/index.html#?"&&"JavaScript:alert(document.cookie)
  • http://vmwarehost/ui/help/en_US/wwhelp/wwhimpl/api.htm#?"&&"JavaScript:alert(document.cookie)
  • http://vmwarehost/ui/help/en_US/wwhelp/wwhimpl/common/html/frameset.htm#?"&&"JavaScript:alert(document.cookie)

References

  • VMWare security advisory: http://www.vmware.com/security/advisories/VMSA-2009-0017.html
  • WebWorks security advisory: http://www.webworks.com/Security/2009-0001/
  • CVE Reference: CVE-2009-3731
